3 Replies Latest reply on Jun 23, 2017 5:23 AM by timothyb

    Use Macros to bypass Application Manager

    BenAtt Rookie

      Hello everyone,

       

      So we are running AM 8.9 SP3 on our XenApp/XenDesktop platform here. We had a pentest a few months back and they identified a loophole where you can bypass all the AM controls by using an Excel macro to launch an application instead. We logged it with support and were told it was fixed in 10.1, which we tried and it was. However, we do not particularly want to move to 10.1 after being told by many people not to.

       

      The support team advised us that it related to this, https://community.ivanti.com/docs/44953, but as this only relates to regedit.exe it doesn't really do it justice to the size of the hole it creates.

       

      We tried running AppLocker underneath to belt and braces, but this had a knock-on effect with AppSense custom actions.

       

      Has anyone else encountered this same issue? I don't really want to post the macro code on here at the moment, but I can pass it on to the developers if you want to try it anywhere.

        • 1. Re: Use Macros to bypass Application Manager
          timothyb SupportEmployee

          With regards to the Regedit issue in the document you highlighted, the fix isn't just for regedit.exe exclusively but the scenario that surrounds it. The document covers the situation in more detail.

           

          Are you able to test AM 10.1 FR1 on an endpoint within your environment to see if the issue with the Macro of concern is resolved?

           

          If the Macro uses an alternative approach to launch an application, please can you raise an incident with Support so that this can be investigated and patched?

           

          With regards to AM 10.1, is there a particular issue that is preventing an upgrade?  There was a new filter driver in AM 10.1 which had two performance issues.  These were patched and fixed in AM 10.1 FR1.

          • 2. Re: Use Macros to bypass Application Manager
            BenAtt Rookie

            Hi Timothy,

             

            Thanks for the message

             

            We did log it with the support. Case# 00983314

             

            The final response was "I can confirm this is no current workaround in 8.9 to remedy this issue. This has only been resolved in Application Manager 10.1, this fix regarding Excel Macros can also be viewed in the release notes;

             

            https://community.ivanti.com/docs/DOC-46096 "

             

            We tested it and it was fixed in 10.1, but we can't just do that overnight. We were told there would be no fix produced for 8.9 SP3.

             

            For reference it contains this line, that's how you get around AM

             

            set obj = CreateObject("winmgmts:\\" & strcomputer & "\root\cimv2:win32_process")

             

            happy to email the file over if you are interested in the whole macro

             

            thanks
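
The line quoted in the post above builds its `winmgmts:` moniker from concatenated string pieces, so a search for one literal moniker string will miss it. As an added example (not part of the original thread, and not Ivanti's fix), this sketch scans extracted macro source for statements whose string literals together name `win32_process`; the function names and the sample macro are constructed for illustration.

```python
import re
# Tokens taken from the line quoted in the thread.
MONIKER = re.compile(r"winmgmts:", re.I)
PROC_CLASS = re.compile(r"win32_process", re.I)
STRING_LIT = re.compile(r'"((?:[^"]|"")*)"')
# Constructed sample macro source (not the macro from the thread).
SAMPLE = r'''Sub Demo()
    ' winmgmts: and win32_process mentioned in a comment only
    strComputer = "."
    Set obj = CreateObject("winmgmts:\\" & strComputer & _
        "\root\cimv2:Win32_Process")
    Set svc = GetObject("winmgmts:\\.\root\cimv2")
End Sub
'''

def logical_lines(source):
    """Yield (first_line_no, statement), joining VBA ' _' continuations."""
    buf, start = "", None
    for no, raw in enumerate(source.splitlines(), 1):
        line = raw.rstrip()
        start = no if start is None else start
        if line.endswith(" _"):
            buf += line[:-1]
            continue
        yield start, buf + line
        buf, start = "", None
    if buf:
        yield start, buf

def strip_comment(stmt):
    """Drop a trailing ' comment, ignoring apostrophes inside string literals."""
    in_str = False
    for i, ch in enumerate(stmt):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return stmt[:i]
    return stmt

def find_wmi_process_binds(source):
    """Return [(line_no, statement)] whose string literals spell a WMI process moniker."""
    hits = []
    for no, stmt in logical_lines(source):
        code = strip_comment(stmt)
        # Join only the literals so "winmgmts:\\" & host & "...win32_process" still matches.
        literals = "".join(m.group(1) for m in STRING_LIT.finditer(code))
        if MONIKER.search(literals) and PROC_CLASS.search(literals):
            hits.append((no, code.strip()))
    return hits
```

`find_wmi_process_binds(SAMPLE)` reports only the statement starting on line 4; the comment and the plain `root\cimv2` connection are not flagged.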

            • 3. Re: Use Macros to bypass Application Manager
              timothyb SupportEmployee

              From a review of the incident it appears that you confirmed the issue has been resolved in AC 10.1. Typically the route of least resistance would be to upgrade to AC 10.1. As you already have an incident, at this time I would suggest reopening it rather than addressing this over the forum. It may be possible to submit a hotfix request for the Product Management team to review. Hotfixes are only generated for the biggest impacting issues as they take significant Development and QA time to produce.